On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R. <[email protected]> wrote: > Hi, > > I tried without changing the rule_id , but somewhere in the on the online > docs I got this idea to use the new rule ID, however now as you mentioned I > ve reverted back and to narrow the issue I m pasting the config entry in > local_rules.xml and the corresponding output from > /var/ossec/logs/alerts/alerts.log >
If you figure out what part of the documentation gave you that idea, let me know and I'll try to make it more clear. > This is the entry in local_rules.xml: > > <rule id="18106" level="13" overwrite="yes"> > <if_sid>18105</if_sid> > > <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id> > <description>Windows Logon Failure.</description> > <group>win_authentication_failed,</group> > </rule> > > Then I tried with the invalid password to one of our windows agent and here > is the output from alerts.log > > ** Alert 1422888616.112065949: - windows,win_authentication_failed, > 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog > Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.' The rule you modified is 18106, this log message triggers 18138. I don't see anything in 18138 that would be affected by the change in 18106. I'm not very confused as to what you're trying to do, because this doesn't really make much sense. > User: (no user) > 2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625): > Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01: An > account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - > Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon > Failed: Security ID: S-1-0-0 Account Name: khoshalk Account Domain: > RZPPROD-RDP01 Failure Information: Failure Reason: %%2313 Status: > 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: > 0x0 Caller Process Name: - Network Information: Workstation Name: BG1NB189 > Source Network Address: - Source Port: - Detailed Authentication > Information: Logon Process: NtLmSsp Authentication Package: NTLM > Transited Services: - Package Name (NTLM only): - Key Length: 0 This > event is generated when a logon request fails. It is generated on the > computer where access was attempted. > > Email alert level is set to 12 in ossec.conf and I ve restarted OSSEC after I > added to the local_rules.xml. > > Can you please figure out where exactly Im going wrong with this, > > Regards, > Khoshal AR > > > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of dan (ddp) > Sent: Monday, February 02, 2015 8:03 PM > To: [email protected] > Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work > > On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R. > <[email protected]> wrote: >> Hi, >> Thanx for quick response. >> >> These entries are not commented in local_rules.xml, here is one sample rule >> I am trying to modify the severity, >> >> <rule id="100111" level="13" overwrite="yes"> > > I don't have a 100111, can you provide your original rule with id 100111? > Or, are you misunderstanding the overwrite option? You should use > overwrite when there is a rule in the *_rules.xml files that come with > OSSEC that you want to modify. If you are creating a new rule, you > should not be using the overwrite option. > For example, if you wanted to change the level of rule 18105, you could use: > > <rule id="18105" level="12" overwrite="yes"> > <if_sid>18100</if_sid> > <status>^AUDIT_FAILURE|^failure</status> > <description>Windows audit failure event.</description> > </rule> > > Notice how the "rule id" does not change, only the level and the > addition of the overwrite option. > >> <if_sid>18105,18106,18116</if_sid> >> <match>illegal user|invalid user</match> >> <description>Attempt to login using a non-existent user</description> >> <group>invalid_login,authentication_failed,</group> >> </rule> >> >> Also , I am restarting OSSEC after every little change in the config >> files.If I set the mail alert to less than 12 I get the alerts correctly but >> as there are too many events Im flooded with mails hence I'm trying to >> increase the severity of few events like the one above mentioned. >> >> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the >> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives the >> rule number in the msauth_rules.xml and not the rule number on >> local_rules.xml, >> >> Please let me know if you need more info, >> >> Regards, >> Khoshal AR >> >> >> >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On >> Behalf Of dan (ddp) >> Sent: Monday, February 02, 2015 7:31 PM >> To: [email protected] >> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work >> >> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R. >> <[email protected]> wrote: >>> Hi, >>> >>> Can you please help me in what I m doing wrong in modifying the severity of >>> the rules that I m trying in local_rules.xml. >>> >>> OS : Kali-Linux >>> >>> OSSEC version : 2.8.1 >>> >>> >>> >>> Please find the local_rules.xml file entries below for the overwrite: >>> >>> Everything else works , but I need to change the severity of certain rules >>> for the meaningful alerts and fine tune the frequency they are executed. >>> >>> Appreciate your help. >>> >> >> Are all of these rules commented out in the local_rules.xml file as well? >> Did you restart the OSSEC processes after making the changes? >> Do you have log samples that can be tested with ossec-logtest? >> >>> >>> >>> >>> >>> >>> >>> <rule id="100102" level="12" overwrite="yes"> >>> >>> <if_sid>18104</if_sid> >>> >>> <id>^513$|^4609$</id> >>> >>> <description>Windows is shutting down.</description> >>> >>> <group>system_shutdown,</group> >>> >>> </rule> >>> >>> --> >>> >>> >>> >>> <!-- >>> >>> <rule id="100103" level="13" overwrite="yes"> >>> >>> <if_sid>18103</if_sid> >>> >>> <id>^13570$</id> >>> >>> <description>Windows file system full.</description> >>> >>> <group>low_diskspace,</group> >>> >>> </rule> >>> >>> --> >>> >>> >>> >>> <!-- >>> >>> <rule id="100104" level="12" overwrite="yes"> >>> >>> <if_sid>18100,18103</if_sid> >>> >>> <status>^ERROR</status> >>> >>> <description>Windows error event.</description> >>> >>> <group>system_error,</group> >>> >>> </rule> >>> >>> --> >>> >>> >>> >>> <!-- >>> >>> <rule id="100105" level="12" overwrite="yes"> >>> >>> <if_sid>18100,18105</if_sid> >>> >>> <status>^AUDIT_FAILURE|^failure</status> >>> >>> <description>Windows audit failure event.</description> >>> >>> </rule> >>> >>> --> >>> >>> >>> >>> </group> <!-- SYSLOG,LOCAL --> >>> >>> >>> >>> Regards, >>> >>> Khoshal AR >>> >>> Sonata Software Limited >>> >>> >>> >>> >>> >>> Disclaimer: "The materials contained in this email and any attachments may >>> contain confidential or legally privileged information. The information >>> contained in this communication is intended solely for the use of the >>> individual or entity to whom it is addressed and others authorized to >>> receive it. If you are not the intended recipient you are hereby notified >>> that any disclosure, copying, distribution or taking any action in reliance >>> on the contents of this information is strictly prohibited and may be >>> unlawful. If you have received this communication in error, please notify us >>> immediately by responding to this email and then delete it from your system. >>> Sonata is neither liable for the proper and complete transmission of the >>> information contained in this communication nor for any delay in its >>> receipt" >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google Groups >>> "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. >> Disclaimer: "The materials contained in this email and any attachments may >> contain confidential or legally privileged information. The information >> contained in this communication is intended solely for the use of the >> individual or entity to whom it is addressed and others authorized to >> receive it. If you are not the intended recipient you are hereby notified >> that any disclosure, copying, distribution or taking any action in reliance >> on the contents of this information is strictly prohibited and may be >> unlawful. If you have received this communication in error, please notify us >> immediately by responding to this email and then delete it from your system. >> Sonata is neither liable for the proper and complete transmission of the >> information contained in this communication nor for any delay in its receipt" >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > Disclaimer: "The materials contained in this email and any attachments may > contain confidential or legally privileged information. The information > contained in this communication is intended solely for the use of the > individual or entity to whom it is addressed and others authorized to receive > it. If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on the > contents of this information is strictly prohibited and may be unlawful. If > you have received this communication in error, please notify us immediately > by responding to this email and then delete it from your system. Sonata is > neither liable for the proper and complete transmission of the information > contained in this communication nor for any delay in its receipt" > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
